
Monday, August 13, 2018

Using InSpec with Cisco IOS Devices

On Wednesday, August 1, we presented a webinar on using InSpec with Cisco IOS network devices. Today, fewer than 10% of network teams are using any automation tools, yet through the NetOps 2.0 movement, network administrators are starting to adopt some of the best practices from development and operations, realizing, as Gartner says in the Market Guide for Network Automation, that they often "lag behind other domain groups in embracing automation as a way to meet growing business need."

One concrete use case for network automation is to audit and report on device configurations for the purposes of compliance and audit. Network devices are at the heart of an enterprise's infrastructure, since, without a fully-functioning network, all servers, virtual machines, containers and so on are useless. That's where InSpec comes in. InSpec is Chef's open-source tool for DevSecOps. It allows cross-functional application, infrastructure, and security teams to collaborate on and remediate compliance issues through the whole software delivery process.

Using the features built into InSpec 2.0 and launched at ChefConf 2018 with Chef's commercial product, Chef Automate 2.0, customers can easily write InSpec code to validate common network configurations or detect misconfigurations. Examples of controls would be to make sure switches do not unnecessarily have CDP (Cisco Discovery Protocol) turned on, that switch ports without a link are disabled (to prevent malicious actors from connecting an Ethernet cable to wall jacks to get network access), that SNMP communities are not using their default names and that secure SNMP versions are being used, and so on. For example, here's a fragment of InSpec code to ensure that the device has a loopback interface configured:

Many of these network configuration best practices are encapsulated in the Center for Internet Security (CIS) Cisco IOS Benchmarks Levels 1 and 2. With a Chef Automate subscription, you get access to these profiles as well as any bugfixes and updates from CIS. Chef Automate also allows you to initiate scheduled and ad-hoc scans of all your infrastructure including Cisco IOS devices to ensure you're in compliance at all times – and get alerted if something changes.
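The controls listed above, as an added example that is not the webinar's InSpec code: plain Ruby (runnable without InSpec) that applies the loopback, unused-port, CDP and SNMP checks to a constructed running-config, the same text an InSpec profile would obtain from the device's `show running-config` output.

```ruby
# Constructed sample running-config (not from a real device), laid out as
# 'show running-config' would print it.
SAMPLE_CONFIG = <<~CFG
  interface Loopback0
   ip address 10.0.0.1 255.255.255.255
  interface GigabitEthernet1/0/2
   description unused
   shutdown
  interface GigabitEthernet1/0/3
   description unused
  !
  snmp-server community public RO
  snmp-server community s3cure-ro RO
  no cdp run
CFG
# Split the config into interface stanzas: name => indented sub-lines.
def interfaces(config)
  stanzas = {}
  current = nil
  config.each_line do |raw|
    line = raw.rstrip
    if line =~ /\Ainterface (\S+)/
      current = Regexp.last_match(1)
      stanzas[current] = []
    elsif line.start_with?(' ') && current
      stanzas[current] << line.strip
    else
      current = nil # '!' or a global command ends the stanza
    end
  end
  stanzas
end
# Control: at least one Loopback interface exists.
def loopback_configured?(config)
  interfaces(config).keys.any? { |n| n.start_with?('Loopback') }
end
# Control: ports described as unused must be administratively shut down.
def unused_ports_not_shutdown(config)
  interfaces(config).select { |_, lines|
    lines.any? { |l| l.start_with?('description unused') } && !lines.include?('shutdown')
  }.keys
end
# Control: CDP should be disabled globally ('no cdp run' present).
def cdp_globally_enabled?(config)
  !config.lines.map(&:strip).include?('no cdp run')
end
# Control: default SNMP community names must not be in use.
def default_snmp_communities(config)
  config.scan(/^snmp-server community (\S+)/).flatten & %w[public private]
end
```

Each function returns the finding an InSpec `describe` block would assert on; on the sample config the unused-port and SNMP checks fail, the loopback and CDP checks pass.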